As phishing and malware attacks remain the most common form of cyber-attack in Italy, staying vigilant about the threats circulating both now and in the recent past remains a wise course of action. MalSpam campaigns have been increasing in frequency, disguising themselves as emails from legitimate sources, only to compromise your system with a disguised piece of malware.

In this article, we look at the 5 pieces of malware that are either affecting Italy today or have done so in the past 6 months, how they work, and what you can do to protect yourself from them.

Immuni App Ransomware

Hackers have taken advantage of the recent release of the Immuni Covid-19 tracing app to create a piece of ransomware that mimics the download page and functionality of a genuine coronavirus tracking program.

The ransomware itself is spread through an email campaign in which recipients are invited to visit a perfect clone of the FOFI (Federazione Ordini Farmacisti Italiani) website. Once there, users are greeted with a look-alike copy of the site asking them to download an executable file named ‘IMMUNI.exe’.

Once downloaded and run, IMMUNI.exe drops the FuckUnicorn malware and the infection begins. While this is happening, the victim is shown a tracking interface detailing Covid-19 infection rates across the world.

While the victim is looking at that tracking screen, the following user folders are targeted for encryption: Desktop, Links, Contacts, Documents, Downloads, Pictures, Music, OneDrive, Saved Games, Favourites, Searches, and Videos.

According to analyst Paolo Dal Checco, the malware itself appears to be heavily based on the Tear malware; he notes that “the criminals were not particularly precise in coding something new or indecipherable, so much so that potentially the encryption password can even be intercepted and the files decrypted without paying the ransom.”

TIM Invoice Scam

The TIM invoice scam is part of a malicious email campaign impersonating the telephone operator TIM. The attack targets certified email (PEC) accounts belonging to Italian companies and the public administration.

While the malware itself is based on the FTCode ransomware, it no longer spreads through malicious Microsoft Word macros; instead, the email presents a single download URL. Because the email reuses the subject line of a previous conversation the victim had with the sender, victims are tricked into believing it is legitimate.

Upon following the link, victims are invited to download a .zip archive containing a VBS script that, once executed, runs the malware and displays an image reproducing a real TIM telephone bill. While the image is being displayed, the user’s credentials are exfiltrated to an external server controlled by the attackers.

What separates this malware from the rest featured in this list is that, upon infection, there is no way to recover the encrypted files. With the average cost of a data breach in Italy standing at US$3.52 million according to the Ponemon Institute, this serves as a sobering reminder to follow your organisation’s security procedures when receiving suspicious emails.

Maze Ransomware

The Maze ransomware is notorious for its widespread use around the globe. In Italy, the ransomware was disguised as fake communications from the Inland Revenue, using the institution’s logo and official references to lend the emails credibility.

In each attack, users would receive a Word document named ‘VERDI.doc’ armed with malicious macro code that, if executed, would start the download and subsequent activation of the Maze ransomware.

In the event of infection, a victim would be presented with a ‘DECRYPT-FILES.txt’ file detailing how to pay the ransom in bitcoin and recover their data. The hackers behind the ransomware even go so far as to have a ‘support site’ in which victims can communicate directly with the hackers on decryption details.

Ransomware Attacks in PAs

Ensuring a baseline level of cyber security culture has been flagged as a key priority by many of ItaliaSec’s delegates. Ransomware attacks that target public administration organisations are only effective because of the low-to-medium cyber literacy of their employees.

These attacks are often powered by the FTCode and sLoad ransomware families and arrive as an email containing a single link hosted on a file-sharing site such as Dropbox. The malware itself encrypts all user data and indiscriminately exfiltrates the victim’s personal data.

CoronaLocker

When compared to the other pieces of malware on this list, the CoronaLocker malware appears to be relatively tame. As described by security researcher Max Kersten, this ‘amateur example of ransomware’ is disguised as a WiFi hacking program called ‘wifihacker.exe’.

When run, the executable locks the user out of the computer by putting up a screen lock and repeatedly playing the word ‘Coronavirus’ via a speech API. Unlike the other pieces of ransomware featured here, CoronaLocker does not encrypt the files on the infected system, despite its claims to the contrary.

Again, we see how hackers take advantage of the anxieties of users worldwide, this time using the coronavirus pandemic as the lure. Interested in learning more about how the coronavirus has affected the Italian threat landscape? Have a read of our piece here!

So How Can You Protect Yourself?

Protecting yourself from ransomware attacks is relatively simple if you have a team dedicated to securing your IT assets – simply follow the procedures they have set and get in touch with them should you have any questions.

For those of you who’d like to stay extra vigilant, be sure to try the following:

  • Use anti-malware tools that rely on behavioural analysis to detect unauthorised operations
  • Apply the principle of ‘least privilege’
  • Monitor network traffic
  • Invest in staff awareness and training
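To show what ‘behavioural analysis’ means in practice, here is an added example (not code from the article or from any vendor mentioned in it) that watches constructed file-event log lines and flags any process that modifies an unusual number of files in the user folders the IMMUNI.exe campaign targeted. The log format, process names, PIDs and the threshold of 20 events in 10 seconds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# User-profile folders the article lists as encryption targets of the IMMUNI.exe campaign.
TARGET_FOLDERS = {"Desktop", "Links", "Contacts", "Documents", "Downloads", "Pictures",
                  "Music", "OneDrive", "Saved Games", "Favourites", "Searches", "Videos"}

def parse_event(line):
    """Parse one constructed file-event line: '<ISO time> <pid> <image> <op> <path>'."""
    ts, pid, image, op, path = line.split(" ", 4)   # path may itself contain spaces
    return datetime.fromisoformat(ts), pid, image, op, path

def in_target_folder(path):
    """True when the path sits under C:/Users/<user>/<one of TARGET_FOLDERS>/ (either slash style)."""
    parts = path.replace("\\", "/").split("/")
    return len(parts) > 4 and parts[1].lower() == "users" and parts[3] in TARGET_FOLDERS

def detect_mass_modification(lines, window_seconds=10, threshold=20):
    """Return {(pid, image): first_time_flagged} for processes that write or rename at least
    `threshold` files inside target folders within any `window_seconds` sliding window."""
    recent = defaultdict(deque)   # (pid, image) -> timestamps of recent qualifying events
    flagged = {}
    for line in lines:
        ts, pid, image, op, path = parse_event(line)
        if op not in ("WRITE", "RENAME") or not in_target_folder(path):
            continue
        q = recent[(pid, image)]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and (pid, image) not in flagged:
            flagged[(pid, image)] = ts   # record the moment the burst crossed the threshold
    return flagged

def build_sample_log():
    """Constructed sample: a rename burst from IMMUNI.exe plus a user saving a Word document."""
    t0 = datetime(2020, 6, 1, 9, 0, 0)
    lines = []
    for i in range(30):   # 30 renames in 6 seconds, alternating between two targeted folders
        folder = "Documents" if i % 2 else "Pictures"
        ts = (t0 + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} 4120 IMMUNI.exe RENAME C:/Users/mario/{folder}/file{i}.docx")
    for i in range(3):    # three ordinary saves spread over a minute: should not be flagged
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 2210 WINWORD.EXE WRITE C:/Users/mario/Documents/report.docx")
    return sorted(lines)

def run_example():
    return detect_mass_modification(build_sample_log())

if __name__ == "__main__":
    for (pid, image), ts in run_example().items():
        print(f"ALERT {ts.isoformat()} pid={pid} image={image}: mass modification of user files")
```

A real deployment would feed this from an EDR or Sysmon file-event stream and tune the window and threshold per environment; the point is that the detection keys on behaviour, not on a hash of IMMUNI.exe.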

For further insights into how to best protect yourself from cyber threats, join us at ItaliaSec in Milan on 17th – 18th November!

Learn more about the expert sessions taking place at the event by viewing our full agenda and view our A-list Speaker line-up here.